Resilient Playbook and automated actions for Threat Hunting and DFIR

Figure 1.40 further elaborates on what the playbook that eventually provides task instructions to the analyst teams looks like. Some initial triage task instructions are listed under the Stage 1 Analysis phase of the incident; these are processed by the Security Operations team. Once completed, the incident is handed off to the Threat Hunting team for scoping the attack and developing further intelligence. As you can see, all the TTP task instructions regarding APT28 have been loaded into the Stage 2 Analysis phase of this playbook.

Figure 1.40: MITRE Playbook loads TTPs for APT28

It is important to note that the Threat Actors are watching the endeavours of the Cyber defense community in exactly the same way as we are observing their movements. We expect them to change their attack vectors once they know that we have identified them. This means that we need to be agile in Incident Response and adapt quickly to changing attack vectors.

Figure 1.41 shows the details of the MITRE: Threat Hunting: Preparations task. The goal of this task is to identify additional TTPs that have been used by an attacker as part of the local compromise. Additional TTP tasks are loaded into the playbook once the question in the bottom left corner, “Which additional TTPs have been identified”, is answered. However, answering this question requires first triggering the action CB Response: Threat Hunting demonstrated in figure 1.42.

Figure 1.41: MITRE Threat Hunting preparations

This action pulls the findings of Carbon Black (CB) Response into a Resilient data table named “MITRE TTP staging table” via an integration with the Carbon Black API for Python (CBAPI). More precisely, we have activated the Threat Intelligence (TI) feed named “MITRE Att&ck” within CB Response and configured it to generate alerts whenever endpoint activity matches this TI.

Figure 1.42: MITRE TTP staging table – Threat Hunting

This allows the Threat Hunting team to triage the table details and switch to the CB Response UI as required in order to understand the individual TTP details by triggering ad-hoc queries and conducting live response.

Figure 1.43: Carbon Black Response UI – Threat Hunting

Once the Threat Hunting team has worked through the individual TTP tasks and scoped the attack, it provides additional intelligence to the Secops and DFIR teams. For example, if it has identified that the attacker is about to exfiltrate data, it can advise the Secops team to limit the capabilities of the intruder. Also, as part of the scoping process, the Threat Hunting team narrows an attack down to a few highly suspicious or confirmed compromised systems while scanning thousands or tens of thousands of endpoints.

Figure 1.44: Carbon Black Response UI continued – Threat Hunting
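As an added illustration (not the authors' integration code), the following Python sketches two steps described above: collapsing CB Response alerts from the “MITRE Att&ck” feed into one staging-table row per host and ATT&CK technique, and then surfacing the hosts that show several distinct techniques so that thousands of endpoints narrow down to a few systems worth scoping. The alert records and their field names are constructed for this example and are not the CBAPI alert schema.

```python
import re
from collections import defaultdict

# Constructed sample of CB Response alert records. The field names
# (hostname, feed_name, report_name, process_path) are assumptions for
# this example, not the documented CBAPI alert schema.
def alert(host, report, proc, feed="MITRE Att&ck"):
    return {"hostname": host, "feed_name": feed, "report_name": report, "process_path": proc}

SAMPLE_ALERTS = [
    alert("WS-0142", "T1059 Command-Line Interface", r"c:\windows\system32\cmd.exe"),
    alert("WS-0142", "T1059 Command-Line Interface", r"c:\windows\system32\cmd.exe"),
    alert("WS-0142", "T1003 Credential Dumping", r"c:\temp\pd.exe"),
    alert("WS-0142", "T1021 Remote Services", r"c:\windows\system32\wsmprovhost.exe"),
    alert("SRV-DB01", "T1003 Credential Dumping", r"c:\temp\pd.exe"),
    alert("SRV-DB01", "T1053 Scheduled Task", r"c:\windows\system32\schtasks.exe"),
    alert("WS-0777", "T1059 Command-Line Interface", r"c:\windows\system32\cmd.exe"),
    alert("WS-0777", "Suspicious Behavior", r"c:\tools\x.exe"),  # report without a technique ID
    alert("WS-0777", "T1105 Remote File Copy", r"c:\tools\x.exe", feed="Other Feed"),
]

# ATT&CK technique IDs as assumed to appear in the feed's report names (T1234 or T1234.001).
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def technique_id(report_name):
    m = TECHNIQUE_RE.search(report_name or "")
    return m.group(0) if m else None

def build_staging_table(alerts, feed="MITRE Att&ck"):
    """Collapse raw alerts into one staging-table row per (host, technique)."""
    rows = {}
    for a in alerts:
        tid = technique_id(a.get("report_name"))
        if a.get("feed_name") != feed or tid is None:
            continue  # other feeds and reports without a technique ID stay out of the table
        row = rows.setdefault((a["hostname"], tid),
                              {"hostname": a["hostname"], "technique": tid, "hits": 0, "processes": set()})
        row["hits"] += 1
        row["processes"].add(a.get("process_path", ""))
    for row in rows.values():
        row["processes"] = sorted(row["processes"])  # JSON-friendly for a data table
    return sorted(rows.values(), key=lambda r: (r["hostname"], r["technique"]))

def rank_hosts(staging_rows, min_techniques=2):
    """Hosts with the most distinct techniques first; single-technique hosts are left for L1 triage."""
    per_host = defaultdict(set)
    for r in staging_rows:
        per_host[r["hostname"]].add(r["technique"])
    ranked = [(h, sorted(t)) for h, t in per_host.items() if len(t) >= min_techniques]
    return sorted(ranked, key=lambda ht: (-len(ht[1]), ht[0]))
```

On the sample, WS-0142 (three techniques) ranks ahead of SRV-DB01 (two), while WS-0777 drops out because its only feed match is a single technique.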

When a small number of confirmed compromised systems has been identified, an automated action that creates a memory dump of each of these endpoints helps the Threat Hunting team hand these images off to the DFIR team. The DFIR team can then go for the deep-dive forensic analysis and work on a strategy for a fully-fledged remediation, eradication and recovery process.

Figure 1.46 shows additional automated actions in IBM Resilient that aid in further streamlining the security and forensic analysis as well as limiting the capabilities of the intruder. For example, the action CB RESPONSE: Create memdump creates a memory dump for the selected endpoint; VOLATILITY: Scan memory image analyzes the memory dump with the open source tool Volatility; A10: Activate SSL interception and A10: Deactivate SSL interception enable and disable SSL interception on the A10 SSL interception proxy; and the action A10: Block IP address blocks an IP address.

Figure 1.46: Additional actions for Secops, Threat Hunting and DFIR

The ultimate goal of the automations provisioned in Resilient is to drastically reduce analysis and response time, to understand and keep track of the full scope and complete impact of an attack, and to allow multiple Cyber Security teams to collaborate in a single platform.

For the remainder of this publication we will demonstrate how we implement the individual TTP detection and mitigation instructions with workflows and playbooks. Integral parts will be to demonstrate how security analysts stay focused by using these playbooks and how they can drastically reduce the time to respond by leveraging Resilient automation and orchestration techniques. The security analysts will be able to watch the movements of the intruder and limit their capabilities while the L2/L3 teams work on a strategy to completely remove the intruder’s foothold (fully-fledged remediation, eradication and recovery) from the compromised environment.

With commercial and non-commercial products and tools from IBM, Recorded Future, Carbon Black, A10 Networks, Volatility and more...

This class is about Incident Response in a post-compromised environment.

In this class we will show you the major reasons why Security Operations is currently performing poorly and what is required within Security Operations in order to produce high-value results that can be consumed by a Threat Hunting and Forensic team. We will also focus on how to streamline security analysis, starting with the initial triage within Security Operations, through Threat Hunting, to Forensics in the case of an advanced targeted attack, by quickly forming a defense team that is able to collaborate directly from within IBM Resilient as the central hub for Incident Response.

The goal is to rapidly identify and respond to advanced adversaries that have gained a foothold in a compromised environment (post-compromise). The initial triage will be conducted by the Security Operations team (L1), which will hand off valuable results to the Threat Hunting team (L2), which will in turn produce results that will be consumed by the DFIR team (L3) for a deep-dive forensic analysis focusing on a few affected systems out of hundreds or thousands of systems.